Best Practices for responding to "Left Alone" in the virus or threat history log
Updated On:15-05-2020 11:58
When Symantec Endpoint Protection (SEP) locates a risk, the result or action taken may be recorded in the risk history and displayed as "Left Alone".
Risk was found within an archive: either an autoprotect scan blocked the extraction of that file from a zip/tar/etc archive or the archive was examined by a manual or scheduled scan. In either case, SEP will not delete or repair the larger archive since it may result in the deletion or corruption of other necessary files. This is the cause of many "left alone" messages.
Limited permissions: If Auto-Protect does not have the appropriate permissions to take action on the file attempting to execute, SEP will show the status of left alone. In most cases you should also notice the file execution was denied access. This means while Auto-Protect is unable to Quarantine or Delete the file, it is still able to stop the file from executing.
Existing Risk: Once a risk has launched and potentially infected the system, the risk’s file is protected by the Windows Operating System due to the running process. Therefore, Auto-Protect will be unable to take action against the file while it is in use. You may see a “Left Alone” action followed by a second message that shows the file/files were Quarantined or Deleted. This is due to the Side Effects Engine which has the ability to suspend the process and allow SEP to take action on the infected file. (NOTE: In some cases this requires a reboot and SEP will display “Restart required” in the action dialog box)
Action set to Leave Alone (Log Only): Denies any access to the file, displays a notification, and logs the event. Use this option to take manual control of how the scan handles the detection. You can specify an action for the detection in the Risk log.
File does not exist: If SEP detects a malicious file attempting to write to the drive, it may deny the file access. A marker will be temporarily placed in the Temp directory, but no file actually exists. This can be verified by reviewing the location of the detection and checking for the presence of the detected file.
Defwatch Scanning: When SEP updates the virus definitions a "DefWatch" scan is automatically run to determine if anything that has already been quarantined can be repaired with the new definitions. Therefore, any scan of scan type "DefWatch" with the action “Left Alone” can be disregarded. Another scan—a "Quickscan"—is also run once the quarantine scan has been completed. Therefore, it is possible to see a risk outside of quarantine "Left Alone" by Defwatch. In this case it is important to look for a second action of Deleted/Quarantined once the Side Effects engine suspends the process and attempts to take action.